Oh, swell. Just when you thought it couldn't possibly get any worse, here comes another report of Sony DRM anti-customer treachery. J. Alex Halderman on Freedom to Tinker describes in detail yet another DRM scheme from Sony, SunnComm's MediaMax. It's not a rootkit this time, like XCP. He calls it spyware. While Sony has said it has temporarily halted shipments of the XCP rootkit, it hasn't promised to stop shipping CDs with this junk on it, from all I can determine. Halderman describes how it works at length, but here's the executive summary:

They install software without meaningful consent or notification, they include either no means of uninstalling the software or an uninstaller that claims to remove the entire program but doesn’t, and they transmit information about user activities to SunnComm despite statements to the contrary in the end user license agreement and on SunnComm’s web site.

Charming.

Here's the part that makes my skin crawl:

But before the agreement appears, MediaMax installs around a dozen files that consume more than 12 MB on the hard disk. ...These files remain installed even if you decline the agreement. One of them, a kernel-level driver with the cryptic name “sbcphid”, is both installed and launched. This component is the heart of the copy protection system. When it is running, it attempts to block CD ripping and copying applications from reading the audio tracks on SunnComm-protected discs. MediaMax refrains from making one final change until after you accept the license—it doesn’t set the driver to automatically run again every time Windows starts. Nevertheless, the code keeps running until the computer is restarted and remains on the hard disk indefinitely, even if the agreement is declined.

However, the EULA says it will install software only *after* you say yes to the EULA:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER.

This is bad. Very bad for Sony. Deceitful EULAs can get you sued, methinks. If you want your hair to turn white, though, read the details about the phoning home. It seems they wish to send you third-party ads, according to the account, so every time you play a CD, they get to know what you are playing and some important details about you, like your IP address and what operating system you use. Say, how about your security? Think it might be a security problem for you if software you don't know about is placed on your computer? Duh. Halderman is more tactful:

Does MediaMax also create security problems as serious as the Sony rootkit’s? Finding out for sure may be difficult, since the license agreement specifically prohibits disassembling the software. However, it certainly causes unnecessary risk. Playing a regular audio CD doesn’t require you to install any new software, so it involves minimal danger. Playing First4Internet or SunnComm discs means not only installing new software but trusting that software with full control of your computer. After last week’s revelations about the Sony rootkit, such trust does not seem well deserved.

So, another loathsome Sony DRM scheme, which installs a driver even if you say no to the EULA, calls home with info about you, and can't be uninstalled with normal techniques. Both Macs and Windows are vulnerable, although at least on Macs there is no autoplay.

Most users would probably accept that media companies have some sort of right to protect the product they sell, but hijacking a user's computer is universally felt not to be part of those rights.

By using this kind of DRM, Sony has made itself an enemy of the user. Users seem to be pretty much united in feeling that the existing implicit and explicit societal compacts that exist between someone that sells something and someone that buys it are being egregiously violated by Sony's course of action.

Halderman tells you how to check whether you are "infected" if you are running XP. What can you do if you are? Well, you can certainly live and learn. We know now that Sony has gone nuts over DRM. But let's face it. It's the customers who'd have to be nuts to buy treacherous music like this.
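One way to run such a check on a Windows machine, as an added example that is not taken from Halderman's post or from this article: it looks up the driver name quoted above, "sbcphid", and reports whether it is loaded and how it is set to start. It assumes the driver is registered as a driver service under that same name; the function name and the wording of the findings are hypothetical.

```powershell
# Added example: look for the MediaMax driver named on this page.
# Assumption: the driver service is registered under the name "sbcphid".
function Get-MediaMaxDriverStatus {
    param([string]$DriverName = 'sbcphid')

    # Win32_SystemDriver lists kernel drivers with their State and StartMode.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver `
                           -Filter "Name='$DriverName'" `
                           -ErrorAction SilentlyContinue

    if (-not $drv) {
        return [pscustomobject]@{
            Driver = $DriverName; Present = $false
            State = $null; StartMode = $null; Path = $null
            Finding = 'No driver service with this name is registered.'
        }
    }

    # Interpretation follows the behaviour quoted above: the driver is
    # launched before the EULA appears, and is only set to start with
    # Windows after the agreement is accepted.
    $startsAtBoot = $drv.StartMode -in @('Boot', 'System', 'Auto')
    if ($drv.State -eq 'Running' -and $startsAtBoot) {
        $finding = 'Loaded now and set to load every time Windows starts.'
    } elseif ($drv.State -eq 'Running') {
        $finding = 'Loaded now, not set to load at startup; stays loaded until restart.'
    } elseif ($startsAtBoot) {
        $finding = 'Not loaded now, but set to load at the next startup.'
    } else {
        $finding = 'Registered but not loaded; its files are still on disk.'
    }

    [pscustomobject]@{
        Driver = $drv.Name; Present = $true
        State = $drv.State; StartMode = $drv.StartMode; Path = $drv.PathName
        Finding = $finding
    }
}

Get-MediaMaxDriverStatus | Format-List
```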

Speaking of learning, what kind of DRM surprises does the rest of the music industry have in store for us? I hope someone is checking. I seriously doubt Sony is unique in its DRM dreams, even if it was apparently the first to try the XCP DRM rootkit. Clearly we haven't been watching as closely as we must.

In the complaint [PDF] just filed in New York against Sony and First 4 Internet, one paragraph sums up the fundamental problem as the plaintiffs see it:

5. In encoding the disks XCP, Sony and F4i have decided that their intellectual property is more deserving of protection than the intellectual property and personal information on millions of personal computers worldwide.

The plaintiffs claim that to date over 3 million copies of XCP encoded disks have been sold. And they point out that Sony distributes under a number of labels, including Columbia, Epic, Sparrow, Delicious Vinyl, Masterworks, and others.

Why MediaMax? What is the purpose?

According to the SunnComm Web site, their MediaMax DRM allows for a limited amount of CD burns from the source material, and then will block further copying. The DRM also can make time-expiring (or number-of-play-expiring) copies of the tracks. . . .

So, while Sony may be backing down from its acts regarding Windows modification, it is yet to be seen whether the recent firestorms will cause it to pull the DRM installed on Macs.

Time-expiring copies? So they not only want to prevent sharing music with a friend, what they call "casual copying," now they want music you buy to evaporate? Oh, fine. This is grand. Next we'll hear they have a Final Solution to the P2P problem. Too extreme? How about an electric shock, then? Or at least a script that pops the CD tray open and hits the infringer on his noggin?

Seriously though, let's think for just a minute about the big picture. Fair use is part of copyright law, is it not? So, if we are all going to be law-abiding, that means that copyright holders have to abide by the law, too, just like customers do. No? But when DRM schemes cut off all possibility of fair use, is that lawful? Leave aside the legality of hijacking someone else's computer. Just think about fair use. Here's how the US Copyright Office explains fair use:

One of the rights accorded to the owner of copyright is the right to reproduce or to authorize others to reproduce the work in copies or phonorecords. This right is subject to certain limitations found in sections 107 through 118 of the copyright act (title 17, U.S. Code). One of the more important limitations is the doctrine of “fair use.” Although fair use was not mentioned in the previous copyright law, the doctrine has developed through a substantial number of court decisions over the years. This doctrine has been codified in section 107 of the copyright law.

Catch that? The copyright holder's rights are "subject to certain limitations" by law. That's what "codified" means, that it's part of the law, not just a nice idea. So, if you design DRM, is there not a legal duty to incorporate those "certain limitations" into your scheme so as to make sure that those legal fair use rights are not only technically still possible but ensured? If you answer no, what is the legal basis for your answer? No. Really. On what legal basis do you argue that fair use can be ignored or prevented under the law? I only ask these questions because it does seem like it's time to get back to fundamentals. These entertainment dudes have run amok, and they are endangering the rest of us. Maybe if they are compelled to abide by fair use -- and why shouldn't they be? -- it will trim their appallingly hostile DRM schemes back to a bearable level. At least it will force them to concern themselves with their customers' rights, which they apparently don't know how to do on their own any more.